[Swan] Secure VPN Setup

Paul Wouters paul at nohats.ca
Thu Apr 21 19:55:14 UTC 2016

On Wed, 20 Apr 2016, Kenny wrote:

> Can anyone offer any suggestions if they have already done the research?  I am a bit opposed to doing
> 2-factor authentication by introducing other software into the mix = increasing the attack surface.  But
> would like to do some other form of 2 factor authentication, like a USB stick or smart card or something, is
> this possible using x.509 with pam?

You can do X.509 or PSK for the IKE SA, then add XAUTH authentication on
top. XAUTH can be a password file on the server, system PAM, a custom PAM
module, etc. google-authenticator works too.

Use xauthby=pam and create /etc/pam.d/pluto with your PAM configuration.
A google-authenticator example can be found at


> I’d like to use IKEv2 with the strongest configuration possible – but have had some issues in finding whether
> or not  I can utilize client certificates AND a username and password, or if there are custom checks I can do
> on the host (registry values, software installed, certain services running, etc.) I don’t think this is
> possible but wanted to ask anyway.

IKEv2 only supports EAP as second authentication, and we do not yet
support that (it is heavily intertwined with OpenSSL while we use NSS).

> I’d like to avoid NIST recommendations if possible because I don’t trust the selection process….

Well, if you don't like 3des or aes or aes_gcm you can use camellia or
twofish or even cast5.

> For some base requirements I’m thinking – main mode, IPv4 only as I don’t trust IPv6 in any way yet, the

main mode only applies to IKEv1, not IKEv2.

> strongest encryption algorithm (CHACHA?), the most entropic pseudo-random function PRF_HMAC_SHA2_512?, the

chacha20poly1305 is not yet supported. We are waiting on the next
release of NSS which will have chacha20poly1305 support.

> strongest hashing integrity algorithm AUTH_HMAC_SHA2_512_256?, the strongest ESP encryption = AES-CBC
> (SUCKS), the strongest ESP authentication algorithm = AES-GMAC with AES-128?, the strongest DH transform

It's all relative, but yes, any of the SHA2 HMAC/PRF constructs are safe
(in fact so is HMAC-SHA1 and even HMAC-MD5).

We do not support AES-GMAC. You can use AES_GCM or AES_CCM for ESP. Or
as I said, AES_CBC, 3DES, TWOFISH, CAST or Camellia.

> brainpoolP512r1?,

We only support DH MODP groups, no curves. MODP2048 or higher is fine,
just stay away from DH 22,23,24.

> strongest certificate (and way to most safely secure password for cert) and hashing
> algorithm SHA3? and other attributes public key size limit = 4096 8192 do we know what the threshold is where

There is no SHA3 for IKE/IPsec yet.

> we may be introducing other issues obviously we don’t need to go with something insanely high but I don’t
> want it to even be possible assuming that governments lie about computing power which they do? Prime number
> generate for seeding for certificate with a limit on value lower bounds, the strongest , no compression,
> strongest hash algorithm SHA2-512 hash algorithm?, strongest secure password method PACE?

passwords would all be based on the underlying scheme. XAUTH means
plaintext (but encrypted under the IKE SA), and EAP can mean any method.

> 1.)    Can I do main mode IKEv2 with a remote access to VPN server NAT-T setup?

IKEv2 has just one mode. There is no "main mode" or "aggressive mode" in

> 2.)    Can I do AH and ESP with this setup, or is AH or ESP alone more secure, I know AH is typically tunnel
> and ESP is typically transport but there are differing opinions online?

Forget AH. ESP always contains AH. When you specify esp= you specify
both an encryption and an authentication algorithm.

> 3.)    Can I do client certificate and password without using another product piece of software that relies
> on an external source e.g. google or RSA tokens one OTP

Note Google Authenticator does not rely on Google. It is not a
"service". Same for certificates. It is all constrained to your
own generated CA cert.

>  – maybe a usb stick or smart card or some other
> software token that does not have to reach out externally? My concern is the VPN server having to get this
> information primarily – best case scenario would be cert and pass PLUS a google OTP or RSA token number. I
> know I’m reaching on this one, just wondering what thinking out of the box solutions there might be that
> libreswan is capable of doing

You can generate/store the NSS database with certificates onto a
smartcard or HSM. Anything PKCS#11 should work.

> 4.)    Can I check host configuration and OS or other software attributes before finalizing (finalizing
> meaning at whatever point would be secure and still possible)

You could run in FIPS mode, which enforces integrity checks of the
kernel, NSS and libreswan using the fipscheck library (and kernel code).

> 5.)    Can anyone list the most secure of each IKEv2 spec?  In my research the ones I’ve listed above are the
> best – chacha, brainpool, SHA2, public key sizes greater or equal to 4096 – but for the others I don’t know –
> like ESP, AH, PRF, hashing integrity algorithm, prime number seeding with boundaries on low numbers,  secure
> password method, etc.

That's a long debate you can fight out on one of the crypto lists :)
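
Putting the reply's advice together (certificates for the IKE SA, XAUTH on top via xauthby=pam and /etc/pam.d/pluto, a MODP 2048 group rather than DH 22/23/24, and an esp= line naming both encryption and integrity), here is an added example configuration; it is not from the thread or from the libreswan project, and the connection name, certificate nickname, address pool and file paths are assumed:

```ini
# /etc/ipsec.d/xauth-cert-otp.conf  (added example, not from the thread)
# IKEv1 road-warrior conn: X.509 authenticates the IKE SA, then XAUTH
# adds a second factor that PAM verifies locally (no external service).
conn roadwarrior-cert-otp
    # XAUTH is IKEv1 only; IKEv2 would need EAP, which is unsupported here
    ikev2=no
    # first factor: certificates issued by our own CA
    authby=rsasig
    left=%defaultroute
    # nickname of the server certificate in the NSS database (assumed)
    leftcert=vpnserver
    leftid=%fromcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # server challenges the client for XAUTH credentials
    leftxauthserver=yes
    right=%any
    rightid=%fromcert
    # client certificate must chain to the same CA as ours
    rightca=%same
    rightxauthclient=yes
    # assumed client address pool
    rightaddresspool=10.10.10.10-10.10.10.250
    # second factor: hand the XAUTH password to /etc/pam.d/pluto
    xauthby=pam
    xauthfail=hard
    # SHA2 HMAC/PRF with MODP 2048; avoids DH groups 22, 23 and 24
    ike=aes256-sha2_512;modp2048
    # esp= carries both the cipher and the integrity algorithm; no AH needed
    esp=aes256-sha2_512
    pfs=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add

# /etc/pam.d/pluto  (added example): the XAUTH password is the OTP.
# XAUTH offers a single password prompt, so one auth module keeps it
# simple; pam_google_authenticator.so ships with the google-authenticator
# PAM package and verifies the TOTP code against the user's local secret.
auth    required    pam_google_authenticator.so
account required    pam_permit.so
```

Each user still needs a per-user secret created with the google-authenticator tool before the OTP step can succeed, and libreswan must have been built with PAM support for xauthby=pam to be accepted.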
